Paderborn University develops tools for more cyber security in Europe with EU partners


The rules for cybersecurity in the EU are becoming increasingly complex. The newly launched "Cybersecurity Certification and Assessment Tools" (CCAT) project is responding to this. The SICP (Software Innovation Campus Paderborn), which is part of Paderborn University, is participating in the project. The aim is to strengthen the implementation of European cybersecurity regulations through innovative open source solutions. The project will run for three years and is being sponsored by the EU with around 4.2 million euros as part of the Horizon Europe programme.

The project will translate the results of state-of-the-art applied research into practical open source tools. The tools are intended to help companies and authorities to reliably implement the requirements of the Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA). To this end, they enable the comprehensive analysis of encrypted systems, cryptographic components, security-critical hardware and existing certifications.

The CCAT consortium brings together leading academic and industrial partners from across Europe. In addition to the SICP, Masaryk University (Czech Republic), Università Ca' Foscari Venezia (Italy), Cybernetica AS (Estonia), Monet+ (Czech Republic), 10Sec S.r.l. (Italy) and the University of Tartu (Estonia) are involved. The project is also supported by two associated partners from the Czech Republic: Red Hat and Tropic Square. Masaryk University is coordinating the project.

The tools will be customised by the project partners so that they can be used easily and practically by different users: Regulatory and certification bodies can use the CCAT tools to check the security of specific products and services, while technology developers receive clearer guidelines on how to fulfil European cybersecurity requirements. This involves working closely with users to make the tools more understandable and user-friendly.

Focus on usability

The SICP team led by Prof Dr Yasemin Acar (Empirical Software Engineering) is focusing on the user-friendly design of the tools. "It is important that companies can effectively integrate the tools into the development process," says Prof Acar.

The project methodology is based on four established academic tools that are being further developed and adapted for wider use in both the private and public sectors. The TLS Scanner is a tool for assessing the security of TLS clients and servers to identify vulnerabilities and configuration issues. TLS stands for "Transport Layer Security", a security technology that ensures that data is encrypted and transmitted securely on the Internet. SCRUTINY is a collection of tools for evaluating cryptographic implementations in hardware devices (e.g. smartcards) and software libraries. ALVIE is a tool for analysing the security architectures of embedded systems with regard to vulnerabilities. Finally, sec-cert serves as a platform for analysing the environment of certified cyber security products, which maps dependencies between certified products and emerging vulnerabilities.

In the further development of the TLS attacker, the SICP team is drawing on the results of the predecessor project "KoTeBi" ("Combinatorial testing of TLS libraries at all levels"). "As part of KoTeBi, we were able to uncover the weak points in TLS libraries and optimise the analysis tools," explains Prof. Dr. Juraj Somorovsky from the Institute of Computer Science at Paderborn University. "In the CCAT project, we are now adapting the tool specifically to the requirements of the Cyber Resilience Act and EU certifications in order to provide even better support for companies and authorities in security testing."

Project leader Prof Václav Matyáš from Masaryk University summarises: "CCAT combines research, regulation and practice to ensure that European cyber security regulations actually lead to safer digital products for companies, the public sector and everyday users."

This text was translated automatically.


Contact


Dr. Simon Oberthür

Software Innovation Campus Paderborn (SICP)

R&D Manager - Digital Security

Phone: +49 5251 60-6822